1788 matches found
CVE-2017-20254
The CVE-2017-20254 entry concerns the Joomla! Component User Bench 1.0, which is vulnerable to SQL injection via the userid parameter in index.php?option=com_userbench&view=detail&userid. The underlying flaw allows unauthenticated attackers to execute arbitrary SQL and exfiltrate sensitive data ...
Glances - Information Disclosure
Glances 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials; exploitation requires no special privileges. id: CVE-2026-32596 info: name: Glances -...
D-Link DIR-859 - Information Disclosure
A critical information disclosure vulnerability exists in D-Link devices where sensitive device account information, including credentials, can be retrieved by sending an unauthenticated request to the /getcfg.php endpoint with the parameter SERVICES=DEVICE.ACCOUNT. This could allow attackers to obtain...
Electrolink FM/DAB/TV Transmitter - Credentials Disclosure
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext. id: CVE-2025-28228 info: name: Electrolink FM/DAB/TV Transmitter - Credentials Disclosure...
Glances - Information Disclosure
Glances 4.5.1 contains an information disclosure vulnerability caused by unfiltered exposure of sensitive configuration data via the /api/4/config REST API endpoint, letting remote attackers access credentials; exploitation requires API access. id: CVE-2026-30928 info: name: Glances - Information...
CVE-2026-48818
A flaw was found in Starlette, a lightweight ASGI framework. On Windows systems, the StaticFiles component is vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can exploit this by providing a specially crafted Universal Naming Convention (UNC) path, which causes the system to initia...
CVE-2026-53840
OpenClaw CVE-2026-53840 affects the OpenClaw MCP stack before version 2026.5.12. The issue is an information-disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. If an attacker controls or can compromise an MCP end...
EUVD-2026-37024
Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain...
MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)
Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97 package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...
PT-2026-50129
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678...
GHSA-QXH6-94W6-9R5P @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata such as headers from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive...
GHSA-95QP-CMMW-MGQV @angular/service-worker: Request Credential & Cache Policy Stripping
An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...
PT-2026-49560
An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...
CVE-2026-54421
In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...
PT-2026-49105
Name of the Vulnerable Software and Affected Versions: OpenStack Ironic versions prior to 35.0.2. Description: When applying a PATCH request to update fields in volume properties for which a user is authorized, the system may return unredacted sensitive information, such as iSCSI credentials. This...
CVE-2026-9062
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
CVE-2026-9062 Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
Linux Distros Unpatched Vulnerability : CVE-2026-1836
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability for which no vendor-supplied patch is available. - The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return...
CVE-2026-53839 OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...
GHSA-3GP5-Q4JW-3V94 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
Summary: Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients...